Stratos Gerakakis

After a funky incident many years ago, when a collaborator in a European project
(at a point where we were having an argument) decided to circulate one of my
emails, after editing it to his liking, all my business emails are now
electronically signed.

My emails end up being a little “dirtier”, with all the PGP headers and
footers, but this is a very small inconvenience (at least to me)
considering that all my email correspondence is now tamper-proof.

I do get the occasional question though (apart from the complaints that my emails
look funny) on how to actually check that a given email is valid and that its
contents have not been altered.

Here are two ways to verify that an email was indeed sent by me and that
its contents have not been altered.

Note: What follows is going to mess with your head. PGP encryption and
signing is not meant to be used by everyday people. I’ll try my best to give
a gentle overview, but still, it will be messy!

The WARNING that gpg displays is due to the inherent lack of trust in
my public key that you just imported. Is it really my public key that
you downloaded before? Unless you personally verify with me that this is
indeed my key, gpg will always warn you that this is not a trusted key.

You could sign my key, implying that you trust it, and make the warning go
away, but that would require that you already have your own pair of private and
public keys, and at this point I’m not going to turn this into a full gpg
tutorial.

The important thing, so far, is the line above that reads “Good signature
from "Stratos Gerakakis <gerakakis@planetek.gr>"”: it tells you that the
signature matches the message you received.

If the message had been tampered with (try editing the /tmp/message.gpg file),
the response you would get would be something like:

Verifying with keybase

Keybase is a nice utility/service that encapsulates
a lot of this raw encryption/signing black magic into an easier workflow. It
also allows you to verify yourself and establish a level of trust that the
keys you claim are yours are indeed yours, and that you are who you claim
to be. Yes, this thing with the web of trust is very paranoid…

You will need to have the keybase binaries installed from their website in
order to follow through.

Keybase also does a lot of other interesting stuff and it’s worth checking
it out, if you’re into that sort of thing.

Automatic ways to validate email signatures

Obviously you are not meant to go through the whole procedure for every
email. Your email program should be able to help verify the signatures of
the emails, with the help of certain extensions/helper utilities.
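This is what those helper utilities do under the hood: instead of eyeballing “Good signature” and the WARNING, they read gpg's machine-readable status lines and keep the two questions apart (is the signature intact? is the key trusted?). The following is an added example, not code from the original post; the key id in the constructed sample output is a placeholder, and `gpg_verify_file` assumes a `gpg` binary on the PATH.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

@dataclass
class VerifyResult:
    signature: str         # good | bad | unknown_key | error | none
    signer: Optional[str]  # user id gpg reports next to GOODSIG/BADSIG
    trust: str             # undefined | never | marginal | fully | ultimate | n/a

    @property
    def trusted(self) -> bool:
        # A good signature is not enough: gpg also reports whether the key itself is trusted.
        return self.signature == "good" and self.trust in ("fully", "ultimate")

def parse_gpg_status(status_text: str) -> VerifyResult:
    """Classify gpg --status-fd output into signature validity and key trust."""
    signature, signer, trust = "none", None, "n/a"
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        tag, user_id = fields[0], (fields[2] if len(fields) > 2 else None)
        if tag == "GOODSIG":
            signature, signer = "good", user_id
        elif tag == "BADSIG":  # content was altered after it was signed
            signature, signer = "bad", user_id
        elif tag == "NO_PUBKEY":  # signer's public key was never imported
            signature = "unknown_key"
        elif tag == "ERRSIG" and signature == "none":  # could not check at all
            signature = "error"
        elif tag.startswith("TRUST_"):  # gpg's verdict on the key, not the signature
            trust = tag[len("TRUST_"):].lower()
    return VerifyResult(signature, signer, trust)

def gpg_verify_file(path: str) -> VerifyResult:
    """Run gpg on a signed file such as /tmp/message.gpg and classify the outcome."""
    # --status-fd 1 sends the machine-readable lines to stdout; human text goes to stderr.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)
# Constructed sample status output (placeholder key id): an untampered message whose
# signing key was imported but never marked as trusted, then the same message after editing.
SAMPLE_GOOD_UNTRUSTED = ("[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Stratos Gerakakis <gerakakis@planetek.gr>\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
SAMPLE_TAMPERED = ("[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Stratos Gerakakis <gerakakis@planetek.gr>\n")
```

A mail client would treat `signature == "good"` with `trust == "undefined"` exactly as the manual check above does: the content is intact, but the WARNING still applies until you have verified the key yourself.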

Once again this is not a full tutorial on how to set up your email program
(I don’t even know what program you’re using), but here is a list of programs
that have the capability to encrypt and verify emails:

Yes, unfortunately nothing in this workflow is straightforward and it’s a big
mess, requiring a lot of research and field-specific knowledge to understand it
all. And by no means do I claim to be an expert on any of these!